Ticket #8976 (new defect)
Opened 2 years ago
Last modified 13 months ago
Can't restrict access to specified version of wiki page using FineGrainedPermissions
| Reported by: | Ryan Ollos <ryano@…> | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | next-minor-0.12.x |
| Component: | general | Version: | 0.11-stable |
| Severity: | normal | Keywords: | authzpolicy verify |
| Cc: | leho@… | | |
| Release Notes: | | | |
| API Changes: | | | |
Description
This is either a defect, or I am really misreading the documentation.
After not having any success getting the authz configuration to behave the way I was expecting under Trac 0.11.4, I set up the development environment for 0.11.7dev and did some testing.
The following configuration grants access to all versions of WikiStart, as I would expect,
```
[wiki:WikiStart]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =
```
That is, it appears that the first match is used to grant WIKI_VIEW to all versions of WikiStart, which seems to agree with the documentation.
Given that, I would expect the following configuration to grant access to only version 3 of WikiStart (there are 7 versions of WikiStart under this instance of Trac):
```
[wiki:WikiStart@3]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =
```
However, with the latter configuration, I can't access any versions of WikiStart when navigating to:
http://localhost:8000/tracdev/wiki/WikiStart?version=3
There is a Forbidden Error with:
WIKI_VIEW privileges are required to perform this operation on WikiStart
I've set the LogLevel to DEBUG and will attach the log output from trying to access the aforementioned URL.
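
Added example, not part of the ticket or of Trac's code: a simplified model of first-match section lookup applied to the two configurations in the description. It assumes section names are glob-matched against a `realm:id@version` key, that a section without `@` covers all versions, and that a check carrying no version is keyed as `@*`; all function names are hypothetical.

```python
from configparser import ConfigParser
from fnmatch import fnmatchcase

# Both configurations from the ticket description, one entry per line.
CONFIG_ALL_VERSIONS = "[wiki:WikiStart]\n* = WIKI_VIEW\n[wiki:WikiStart@*]\n* =\n"
CONFIG_VERSION_3 = "[wiki:WikiStart@3]\n* = WIKI_VIEW\n[wiki:WikiStart@*]\n* =\n"


def load_sections(text):
    """Parse an authz file into [(glob, {subject: [permissions]})], in file order."""
    parser = ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep subjects and permission names case-sensitive
    parser.read_string(text)
    sections = []
    for name in parser.sections():
        # Modelling assumption: a section without "@" covers every version.
        glob = name if "@" in name else name + "@*"
        rules = {who: [p.strip() for p in perms.split(",") if p.strip()]
                 for who, perms in parser.items(name)}
        sections.append((glob, rules))
    return sections


def resource_key(realm, page, version=None):
    """Modelling assumption: a check that carries no version is keyed as '@*'."""
    return "%s:%s@%s" % (realm, page, version if version is not None else "*")


def decide(sections, key, user, action):
    """First matching section that names the user decides; None means no match."""
    for glob, rules in sections:
        if not fnmatchcase(key, glob):
            continue
        for who, perms in rules.items():
            if who in ("*", user):
                return action in perms  # an empty list means an explicit refusal
    return None


def view_matrix(text, user="anonymous"):
    """WIKI_VIEW decision for version 3, version 5 and a version-less check."""
    sections = load_sections(text)
    keys = {v: resource_key("wiki", "WikiStart", v) for v in (3, 5, None)}
    return {v: decide(sections, k, user, "WIKI_VIEW") for v, k in keys.items()}


print(view_matrix(CONFIG_ALL_VERSIONS))
print(view_matrix(CONFIG_VERSION_3))
```

In this model, version 3 is viewable under the second configuration only when the check itself is keyed with version 3; a check keyed without a version falls through to `[wiki:WikiStart@*]` and is refused.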
Attachments
Change History
Changed 2 years ago by Ryan Ollos <ryano@…>
comment:1 Changed 2 years ago by Ryan Ollos <ryano@…>
When viewing the attached log, please start at line 87 to see the output from refreshing WikiStart?version=3.
I will also upload the authzpolicy.config file from the time the log was created.
Btw, I tried linking to a particular line in the attachment as can be done with files in the repository, but this doesn't seem to work. I tried: attachment:trac.log#L87. Do I have the syntax wrong, or is the feature not implemented? There is nothing in the documentation TracLinks to imply that this should work, but it seems like it should work since it does for TracLinks with a source: realm.
Changed 2 years ago by Ryan Ollos <ryano@…>
- Attachment authzpolicy.conf added
Authz policy at the time log was created
comment:2 Changed 2 years ago by lkraav <leho@…>
- Cc leho@… added
comment:3 Changed 2 years ago by Michel Jouvin <jouvin@…>
BTW, as discussed in the Google group, it'd be nice to be able to specify @HEAD to enable access only to the last version. In this case, the history menu should also be disabled.
Michel
comment:4 Changed 2 years ago by cboos
- Keywords needinfo verify added
You need to try to reproduce this on trunk, where a number of bugs have been fixed for the AuthzPolicy.
comment:5 Changed 21 months ago by Michel Jouvin <jouvin@…>
Hi,
Very late comment. I gave this another try with r9610. authz_policy seems to have had only minor changes since then. For me the problem is still the same: as soon as you add @* for a page, you cannot access any version, even though you put a section for @n before it, n being a specific version of the page.
Michel
comment:6 Changed 21 months ago by cboos
- Milestone set to 0.12.1
comment:7 Changed 17 months ago by cboos
- Keywords authzpolicy added; needinfo removed
- Milestone changed from 0.12.1 to next-minor-0.12.x
comment:8 Changed 13 months ago by anonymous
I've been testing out fine grained permissions in 0.12.1 and came across this problem. In my case I would prefer not to have any history available on the pages of my project wiki that are made public. So while this is being fixed, it would be great to have a simple notation for allowing access to just the most recent version, something like @HEAD.



Log from accessing WikiStart@3